Free Republic
Browse · Search
News/Activism
Topics · Post Article

Losing the Info-War
www.newsmax.com ^ | Nov. 21, 2002 | Charles R. Smith

Posted on 11/22/2002 2:35:59 PM PST by Tailgunner Joe

U.S. Government Flunks Computer Security

The good news is that Attorney General John Ashcroft has authorized the development of a secure computer system to help the FBI track and obtain approval for surveillance warrants in the war on terror.

The bad news is that the federal government will run that computer system.

According to a newly released report from the General Accounting Office (GAO), the U.S. government failed to provide adequate computer security over its own systems. The GAO report covered computer systems operated by 24 agencies, including sensitive data manipulated by the U.S. Justice Department and the U.S. Defense Department.

The GAO report noted that the U.S. government has "significant information security weaknesses that place a broad array of federal operations and assets at risk of fraud, misuse and disruption."

According to the GAO, the federal government did not just flunk computer security. The GAO report clearly illustrated that even basic security operations are ignored, overlooked or simply broken with no concern over the consequences.

Ex-Employees Still Have Computer Access

One basic security operation is to remove computer access and log-on accounts from people who are fired, let go or no longer employed.

"Accounts and passwords for individuals no longer associated with an agency are not deleted or disabled," noted the GAO.

"As a result, in some cases, former employees and contractors could still [and in many cases did] read, modify, copy or delete data; and even after long periods of inactivity, many users' accounts had not been deactivated."

It seems that FBI turncoat Robert Hanssen could still log into secure Department of Justice computer systems from his prison cell despite being convicted of espionage.

Yet the fact is that Robert Hanssen was able to obtain a wide variety of secret computer information that he was not authorized to access while he was employed at the FBI. Hanssen, of course, managed to pass those secrets on to his Russian handlers in exchange for hard, cold cash.

Hanssen noted that he was able to do this because of his knowledge of the flawed computer security at the FBI. However, the GAO report noted that stealing U.S. government information was not so difficult that you had to be a career spymaster.

"Use of default, easily guessed, and unencrypted passwords significantly increases the risk of unauthorized access," states the GAO report.

"We are often able to guess many passwords on the basis of our knowledge of commonly used passwords and to observe computer users' keying in passwords and then use those passwords to obtain 'high level' system administration privileges."

GAO Easily Broke Into Federal Computers

"In almost every test, our auditors have been successful in readily gaining unauthorized access that would allow both internal and external intruders to read, modify, or delete data for whatever purpose they had in mind," stated the GAO.

One area in which I have been very hard on the federal government is its lack of basic audit trail designs. Simply put, an audit trail keeps track of who has access to your data and logs when they looked at it.

Good systems have audit trails built into them as a matter of standard design. This allows individuals to find out who is looking at their records and ask why. It also allows managers to track unauthorized users who are scanning data.

However, according to the GAO, "user activity was inadequately monitored" on virtually all of the U.S. government computer systems they managed to penetrate.

"Much of the activity associated with our intrusion testing had not been recognized and recorded, and the problem reports that were recorded did not recognize the magnitude of our activity or the severity of the security breaches we initiated," concluded the GAO report.

What good is computer security when, electronically speaking, you leave the front door wide open?

U.S. Military Cannot Fix Known Security Flaws

The lack of simple password security and poor audit trail design is bad enough, but even the U.S. military cannot manage to fix known flaws inside its own computer systems.

The Defense Department recently suffered from an expensive hack attack from Britain. As a result of an intensive investigation, a British computer administrator was arrested on charges that he broke into 92 U.S. computers, causing nearly a million dollars in damages.

According to the GAO report, the British hacker easily obtained access to the U.S. military computers using automated software freely available on the Internet to scan for known flaws in Microsoft's Windows NT operating systems.

President at Risk

In the wake of Sept. 11, one would think that the U.S. military would tighten up its computer and communications security. In fact, even President Bush suffered from poor military communications security during the crisis on Sept. 11.

According to Aviation Week and Space Technology, U.S. Air Force F-16 Falcons ordered to patrol the skies above Washington, D.C., were not equipped with secure radios.

The lack of secure radios forced the F-16 pilots to communicate in the open with military controllers on the exact location and time to meet Air Force One when President Bush returned to Washington, D.C.

The time to fix such problems is long past. Clearly, the U.S. government can put out the effort to electronically protect the president. Yet, at the same time, the federal government wants to electronically risk the lives of countless other individuals for no good reason.

The federal government is poorly equipped to deal with computer security simply because privacy and security are often not in its best interests. The government wants to have more information about you and must have free access to it 24 hours a day, seven days a week.

SSN and Credit History Freely Available to Hack

For example, making information easily available for hackers is not something that the federal government should do. Yet, according to officials in Hanover County, Va., that is exactly what the U.S. government compelled them to do.

In order to obtain a share of the U.S. government Technology Trust Fund, Hanover officials began to post normal county court information on the Internet. This information included Social Security numbers, credit histories and even signatures from a variety of court records, including deeds and marriage licenses.

Thus, the federal government, armed with your tax dollars as an incentive, made the private lives and electronic identities of innocent individuals available for any hacker to freely hijack. The GAO report clearly noted that the federal government is ill equipped to deal with its own computer security over existing systems.

The Bush administration appears to have forgotten the lesson of 900 stolen FBI files found inside the Clinton White House. The recent addition of Ashcroft's new terror tracking system along with several other intrusive and poorly conceived computer tracking operations will not provide national security.

Instead, political hackers and real computer terrorists will have new fertile grounds for future attacks.


TOPICS: Crime/Corruption; Editorial; Extended News; Foreign Affairs; Government; News/Current Events; United Kingdom
KEYWORDS: hanssen

1 posted on 11/22/2002 2:35:59 PM PST by Tailgunner Joe

To: Tailgunner Joe
||| The Bush administration appears to have forgotten the lesson of 900 stolen FBI files found inside the Clinton White House. |||

They also forgot to investigate/prosecute/punish the guilty, but I'm sure they'll look into it after the statute of limitations runs out -- when is that -- next year I believe?

2 posted on 11/22/2002 3:06:39 PM PST by fone

To: fone
US government IT security? Sounds like a job that should be outsourced to India, Pakistan, Iraq or China, or maybe to citizens from those countries via H1-B. God forbid the US government would encourage the hiring of US citizens for this.

3 posted on 11/22/2002 4:21:28 PM PST by guitfiddlist
